With both attackers and defenders now using AI and machine learning, the never-ending game of chess between the two sides has reached a new level. Defenders should start by applying AI and machine learning to anomaly detection, threat intelligence, incident response and risk assessment. The crucial point is not to get carried away.

Tomas Zatko is a Board member at Boltonshield in Switzerland. Tomas hacked the bank that holds your money. Don’t worry, though: he was on the good side, under a valid contract and with the goal of helping. Tomas discovered his hacker talent in childhood, writing his first program at eight years old and later deciding to make the world more secure. Tomas has more than fifteen years of professional experience in IT security, helping companies ranging from e-commerce businesses to major financial institutions.

Check out his interview with Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, in which Samir discusses with Tomas the challenging paradox of cybersecurity, where age-old tactics intersect with cutting-edge innovation.

As cyber threats become increasingly sophisticated, traditional cybersecurity measures struggle to keep pace. What should companies do to adapt their defence strategies?

The main one would be the integration of offensive and defensive security. In the past, offensive and defensive security were often seen as two separate disciplines. However, in today’s threat landscape, it is essential to integrate these two approaches to achieve a comprehensive security posture. This means sharing information and collaborating between the offensive and defensive teams to identify and mitigate threats.

How do you see Artificial Intelligence (AI) and Machine Learning (ML) contributing to safeguarding organizations’ critical assets? 

The endless game of chess between attackers and defenders has reached a whole new level as both sides are now utilising AI / ML. Defenders should start with utilising its help with anomaly detection, threat intelligence, incident response and risk assessment. The crucial point is not to get carried away. We are still quite far from the point where AI will take our jobs away. We need to keep seeing it as a tool that we humans use. It will be a crazy ride. I am sure about that.

Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

CISOs are providing strategic advice to the business. A future-ready CISO must comprehend and align with business objectives, engage in comprehensive risk management, foster cross-departmental collaboration, and promote talent development. Simultaneously, they need to stay abreast of emerging technologies, regulatory changes, and adopt a proactive, rather than reactive, approach to cybersecurity, while managing incident responses effectively. In essence, tomorrow’s CISO is a harmonious blend of a business leader, risk manager, technologist, and strategist.

A common way to assess the value of a senior executive to an organisation’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

The work of cybersecurity pros can feel unappreciated. When things are quiet, people ask, “Why do we pay you if nothing’s going wrong?” But when there’s a problem, they ask, “Why do we pay you if you didn’t stop this?” This tricky situation shows why measuring a CISO’s worth isn’t easy. Their real value comes not just from handling problems, but also from the quiet wins: fewer security problems, keeping up with rules and laws, quick responses to issues, saving money through good security practices, teaching employees about cybersecurity, communicating effectively with both technical and non-technical audiences, getting better at handling cybersecurity over time, and managing risks well. It’s a tough job, with many different roles and responsibilities to juggle.

The importance of communication cannot be overstated, as it allows CISOs to explain the risks to the organization, build support for security initiatives, and get buy-in from stakeholders.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

Having a CISO on the board is vital; it shows that cybersecurity is viewed as a strategic concern, not just an operational one, and fosters a security-conscious culture. Who the CISO reports to also matters. Direct reporting to the CEO or the board, rather than the CIO, underscores the strategic importance of cybersecurity and allows for a balanced approach between operational goals and risk management. Ultimately, the CISO needs sufficient visibility and authority to influence decisions and advocate for a security-centric culture.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

While AI and Machine Learning hold immense promise in cybersecurity, the hype around them as the ultimate solution is somewhat overrated. They need high-quality data, can produce false alerts, and can’t (yet) replace the human intuition and strategic thinking required in security. Thus, it’s crucial to remember that they are tools to aid, not replace, a well-rounded cybersecurity approach that includes technology, people, and processes.

And I am saying this as a big fan of Machine Learning.

Conversely, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

I think this one hasn’t changed for years, and it is still human-centred basic cyber hygiene: using MFA, creating strong passwords, and not reusing passwords. It also includes installing security updates, backing up data regularly, and being suspicious of emails and links – everyone is trying to phish you.

I am confident this is clear for the participants of the Global Cyber Conference. It is, however, deeply underrated by the average user.